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Overview 

Intel® Active Management Technology (Intel AMT) allows companies to easily manage their networked computers. 

• Discover computing assets on a network regardless of whether the computer is turned on or off - Intel AMT uses 
information stored in nonvolatile system memory to access the computer. The computer can even be accessed while it 
is powered off (also called out-of-band or 00 巨 access). 

• Remotely repair computers even after operating system failures - In the event of a software or operating system 
failure, Intel AMT can be used to access the computer remotely for repair purposes. IT administrators can also detect 
computer system problems easily with the assistance of Intel AMT's out-of-band event logging and alerting. 

• Protect networks from incoming threats while easily keeping software and virus protection up to date across the 
network. 


Software Support 

Several independent software vendors (ISVs) are building software packages to work with Intel AMT features. This provides IT 
administrators many options when it comes to remotely managing the networked computer assets within their company. 


Features and Benefits 


Intel AMT 

Features 

Benefits 

Out-o 卜 band (OOB) access 

Allows remote management of platforms regardless of system power or operating 
system state 

Remote troubleshooting and 
recovery 

Significantly reduces desk-side visits, increasing the efficiency of IT technical staff 

Proactive alerting 

Decreases downtime and minimizes repair times 


Computer Requirements 

The computer referred to in this document consists of the Intel® 5 Series Chipset Family/Intel® PCH platform, and is 
managed by Intel Management Engine. The following firmware and software requirements are required for the installation and 
set up before the Intel Management Engine can be configured and run in the client computer: 

• An SPI flash device programmed with Intel AMT 6.0 flash image integrating BIOS, Intel Management Engine, and GbE 
component images. 

• BIOS set up with Intel AMT enabled can access MEBx setup from F12 menu. 

• To enable all of the Intel Management Engine features within Microsoft Operating System, device drivers (Intel® 
MEI/SOL/LMS) must be installed and configured on the client system for features to work/run correctly run in the client 
system. 

Information on this page provided by Intel ■ 
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巧！ NOTE; The Intel Management Engine BIOS Extension (MEBx) is an optional ROM module provided to DelT"^ from Intel 
that is included in the Dell BIOS. The MEBx has been customized for Dell computers. 
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Out of Box Experience 

The following materials are available with an InteTM Active Management Technology (Intel AMT) computer: 

• Factory installation 

o Intel AMT 6.0 is shipped in the factory-default state from Dell factories. 

• Setup and Quick Reference Guide 

o Intel AMT overview with link to the Dell Technology Guide. 

• Dell Technology Guide 

o High-level Intel AMT overview, setup, provisioning, and support. 

• Backup media 

o Firmware and critical drivers are available on the Resource CD. 

See the Administrator Guide for detailed information about Intel AMT. The guide is posted on the Web and is available with 
the computer manuals on support.dell.com. 

Back to Contents Paae 
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Operational Modes 

Earlier versions of Intel® AMT supported two operational modes - Small and Medium Business (SMB) and Enterprise. In the current 
version, their functionality has been integrated to exhibit the functionality of the earlier Enterprise mode. 


The new configuration options for SMB customers are: Manual Setup and Configuration and Automatic Setup and Configuration. 


Setting 

1 ntel AIVTT 5.0 Default 

1 ntel AMT 6.0 Default 

Enterprise Mode 

SMB Mode 

TLS mode 

Enabled 

Disabled 

Disabled, can be enabled at 
a later time 

Web Ul 

Disabled 

Enabled 

Enabled 

IDER/SOL/KVM 
Redirection network 
interface enabled 

Disabled 

Enabled if feature 
enabled in Intel® MEBx 

Enabled, can be disabled at 
a later time 

Legacy Redirection 
Mode (Controls FW 
listening for incoming 
redirection 
connections) 

Disabled 

Enabled if feature 
enabled in Intel MEBx 

Disabled (set to Enabled to 
work with Legacy SMB 
consoles) 


区 NOTE: KVM is supported only with integrated graphics CPU. The system should be in the integrated 
graphics mode. 

Perform manual configuration using the following steps: 

1. Flash image with system BIOS and FW. 

2. Navigate to the Intel MEBx by pressing the F12 menu and typing the default password admin. After you are logged in, 
change the password. 

3. Navigate to Intel ME General Settings menu. 

4. Select Activate Network Access. 

5. Choose "Y" in the confirmation message. 

6. Exit the Intel MEBx. 

。 NOTE: You can also accomplish the activation through external means or through the operating 
system using the Intel Activator tool. 
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Setup and Configuration Overview 

The following is a list of important terms related to the Intel® AMT setup and configuration. 

• Setup and configuration — The process that populates the Intel AMT-managed computer with usernames, 
passwords, and network parameters that enable the computer to be administered remotely. 

• Configuration service — A third-party application that completes the Intel AMT provisioning. 

• Intel AMT WebGUI — A Web browser-based interface for limited remote computer management. 

You must set up and configure Intel AMT on a computer before using it. Intel AMT setup readies the computer for Intel AMT 
mode and enables network connectivity. This setup is generally performed only once in the lifetime of a computer. When Intel 
AMT is enabled, it can be discovered by management software over a network. 

Once Intel AMT is set up in Enterprise mode, it is ready to initiate configuration of its own capabilities. When all required 
network elements are available, simply connect the computer to a power source and the network and Intel AMT automatically 
initiates its own configuration. The configuration service (a third-party application) completes the process for you. Intel AMT is 
then ready for remote management. This configuration typically takes only a few seconds. When Intel AMT is set up and 
configured, you can reconfigure the technology as needed for your business environment. 

Once Intel AMT is set up in the SMB mode, the computer does not have to initiate any configuration across the network. It is 
set up manually and is ready to use with the Intel AMT Web GUI. 


Intel AMT Setup and Configuration States 

The act of setting up and configuring Intel AMT is also known as provisioning. An Intel AMT-capable computer can be in one 
of three setup and configuration states (SCS): 

• Factory-default state 

• Setup state 

• Provisioned state 

The factory-default state is a fully un-configured state in which security credentials are not yet established and Intel AMT 
capabilities are not yet available to management applications. In the factory-default state, Intel AMT has the factory-defined 
settings. 

The setup state is a partially configured state in which Intel AMT has been set up with initial networking and transport layer 
security (TLS) information: an initial administrator password, the provisioning passphrase (PPS), and the provisioning 
identifier (PID). When Intel AMT has been set up, Intel AMT is ready to receive enterprise configuration settings from a 
configuration service. 

The provisioned state is a fully configured state in which the Intel Management Engine (ME) has been configured with power 
options, and Intel AMT has been configured with its security settings, certificates, and the settings that activate the Intel AMT 
capabilities. When Intel AMT has been configured, the capabilities are ready to interact with management applications. 

Provisioning Methods 

TLS-PKI 

TLS-PKI is also known as "Remote Configuration". The SCS uses TLS-PKI (Public Key Infrastructure) certificates to securely 
connect to an Intel AMT-enabled computer. The certificates can be generated in the following ways: 

• The SCS can connect using one of the default certificates pre-programmed on the computer, as detailed in the MEBx 
interface section of this document. 

• The SCS can create a custom certificate, which can be deployed on the AMT computer by means of a desk-side visit 
with a specially formatted USB thumb drive as detailed in the Configuration Service section of this document. 

• The SCS could use a custom certificate which was pre-programmed at the Dell factory through the Custom Factory 
Integration (CFI) process. 

TLS-PSK 


TLS-PSK is also known as "One-Touch Configuration". The SCS uses PSK's (Pre-Shared Key's) to establish a secure 



connection with the AMT computer. These 52-character keys can be created by the SCS, and then deployed on the AMT 
computer with a desk-side visit in one of two ways: 

• The key can be manually typed into the MEBx. 

• The SCS can create a list of custom keys, and put them onto a specially formatted USB thumb drive. Then each AMT 
computer retrieves a custom key from the specially formatted USB thumb drive during BIOS boot as detailed in the 
Configuration Service section of this document. 

Back to Contents Page 



MEBx Settings Overview 

The Intel® Management Engine BIOS Extension (MEBx) provides platform-level configuration options for you to configure the 
behavior of the Management Engine (ME) platform. Options include enabling and disabling individual features and setting 
power configurations. 

This section provides details about MEBx configuration options and constraints, if any. 

。 NOTE; All the ME Platform Configuration setting changes are not cached in MEBx. They are committed to ME non¬ 
volatile memory (NVM) until you exit MEBx. Hence, if MEBx crashes, the changes made until that point are NOT going 
to be committed to ME NVM. 

Accessing the MEBx Configuration User Interface 

The MEBx configuration user interface can be accessed on a computer through the following steps: 

1. Turn on (or restart) your computer. 

2. When the blue DELL^^ logo appears, press <F12> immediately and select MEBx. 

If you wait too long and the operating system logo appears, continue to wait until you see the Microsoft® Windows® 
desktop. Then shut down your computer and try again. 

3. Type the ME password. Press <Enter>.The default password is 'admin', and it can be altered by the user. 

。 NOTE; Another method to access the MEBx is to press <F12> for the one-time boot menu. When the menu appears, 
use the up- and down-arrow keys to select Intel Management Engine BIOS Extension (MEBx). Press く Enter〉. 

The MEBx screen appears as shown below. 



Intel(R) Management Engine BIOS Extension ぶ * 日 i3>B0i 日/ [nteUfi] ME vB.0.3. 1195 
Copyright(C) 20 日 3 。 日日 Intel Corporation, fit I Rights Keser^ed. 

[ m\H MENU ] 

lute I (R) ME Genera I Settings > 

Intel(R) flHT Configuration ► 

Eh it 



The main menu presents three function selections: 

• Intel ME General Settings 

• Intel AMT Configuration 

• Exit 


。 NOTE; Intel MEBx will display only detected options. If one or more of these options do not appear, verify that the 
system supports the relevant missing feature. 


Changing the Intel ME Password 

The default password is admin and is the same on all newly deployed platforms. You must change the default password before 
changing any feature configuration options. 

When an IT administrator first enters the Intel MEBx configuration menu with the default password, he or she must change 
the default password before any feature can be used. 

The new password must include the following elements: 

• Eight characters, no more than 32 

• One uppercase letter 

• One lowercase letter 
■ A number 

• A special (non-alphanumeric) character, such as \, $, or ; excluding the and , characters.) 

巧！ NOTE: The underscore ( _ ) and spacebar are valid password characters but do NOT add to the password complexity. 
Information on this page provided by Intel ■ 
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ME General Settings 

To navigate to the Intel® Management Engine (ME) Platform Configuration page, follow these steps: 

1. Under the Management Engine BIOS Extension (MEBx) main menu, select Intel ME General Settings. Press く Enter〉. 

2. The following message appears: 

Acquiring General Settings configuration 

The ME General Configuration page appears. This page allows the IT administrator to configure the specific functionality of 
the Intel ME, such as password, power options, and so on. Below are quick links to the various sections. 

• Intel ME State Control 

• Change Intel ME Password 

• Password Policy 

• Network Setup 

o Network Name Settings 

- Host Name 

■ Domain Name 
- FODN 

■ Dynamic DNS 

■ Periodic Update Interval 

- 皿 

■ Previous Menu 
o TCP/IP Settings 

■ Wired LAN IPv4 Configuration 

- DHCP Mode 

■ IPv4 Address 

■ Default Gateway Address 

■ Preferred DNS Address 

■ Alternate DNS Address 

■ Previous Menu 

■ Wired LAN IPv6 Configuration 

■ IPv6 Feature Selection 

■ IPv6 Interface ID Type 

■ IPv6 Address 

■ IPv6 Default Router 

■ Preferred DNS IPv6 Address 

■ Alternate DNS IPv6 Address 

■ Previous Menu 

■ Wireless LAN IPv6 Configuration 

■ IPv6 Feature Selection 

■ IPv6 Interface ID Type 

■ Previous Menu 

• UnconfiQure Network Access 

• Remote Setup And Configuration 

o Current Provisioning Mode 

o Provisioning Record 

■ Start Configuration 

■ Previous Menu 

o Provisioning Server IPv4/IPv6 

o Provisioning Server FQDN 

o TLS PSK 

■ Set PIP and PPS 

■ Deleting PIP and PPS 

■ Previous Menu 
O TLS PKI 

■ Remote Configuration 

- PKI DNS Suffix 

■ Manage Hashes 

■ Adding Customized Hash 

- Deleting a Hash 
- Changing the Active State 

■ Viewing a Certificate Hash 

■ Previous Menu 
o Previous Menu 

• FW Update Settings 

o Local FW Update 
o Secure FW Update 


























































o Previous Menu 

• Set PRTC 

• Power Control 

o Intel ME ON in Host Sleep 

o Idle Time Out 
o Previous Menu 


Intel ME State Control 

When the ME State Control option is selected on the ME Platform Configuration menu, the ME State Control menu 
appears. You can disable ME to isolate the ME computer from the main platform until the end of the debugging process. 


te1(B) Management Engine BIOS Extension vB.0.3.0008/Inte1(B) ME u6.0.0.1142 
Copyright(C) Z003-09 Intel Corporation. All Bights Reserved. 

[ INTELCH) ME PLATFORM CONFIGUHflTION ] 

Change ME Password 
Password Policy 

Network Setup 卜 

Unconfigure Network Access 
Remote Setup And Configuration 卜 

FM Update Settings 卜 

Set PHTC 


[ESC]=Exit けん ] =Select [ENTER]=ficcess 



The Intel ME State Control option (enable/disable) provides the ability to disable the Intel ME for debugging purposes. 
Disabling the Intel ME through the MEBx prevents the Intel ME code from executing. This allows an IT technician to eliminate 
the Intel ME as the potential problem. 


ME Platform State Control 

Option 

Description 

Enabled 

Enable the Management Engine on the platform 

Disabled 

Disable the Management Engine on the platform 


。 NOTE: "Disabling" the Intel ME does not really disable it. It causes the Intel ME code to be halted at an early stage of 
the Intel ME's booting so that the system has no traffic originating from the Intel ME on any of the buses. This is not 
intended to be normal operation mode nor is it supported configuration and is for debug only. This allows an IT 
technician to debug a system problem without any interference from the Intel ME. 


Change Intel ME Password 

1. At the Intel ME New Password prompt, type your new password. (Please be aware of the password policies and 
restrictions me 口 tioned i 口 changing the Intel ME Password requirement ) 

2. At the Verify Password prompt, re-type your new password. 
























IntelCH) Management Engine BIDS Extension y 己，曰 - 1-00 白 3 
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Password Policy 

This option determines when the user is allowed to change the Intel MEBx password through the network. 
。 NOTE: The Intel MEBx password can always be changed via the Intel MEBx user interface. 


IntelCRI Management Engine BIDS Extension y 丘 -B-l- 白白 03 
CopyrighttCJ 2003 -白 8 Intel Corporation- All Rights Reserved - 
[ IMTELCH) HE PLflIFDRn COHFIGURATI 扫 H 3 
IntelCR) ME State Control 
Change ME Passuord 



Network Setup ^ 

Act … ate Netuiork Access 
Unconfigure Network Access 
Remote Setup find Configuration ^ 

FW Update Settings ^ 


[ESC ]=Exit けん 3 =Se lect CENTER 3 =ficcess 



[]DURING SETUP AND CONFIGURATION 
E ] ANVTIME 


Description of these options. 
















• Default Password Only — The Intel MEBx password can be changed through the network interface if the default 
password has not been changed yet. 

• During Setup and Configuration — The Intel MEBx password can be changed through the network interface during 
the setup and configuration process but at no other time. Once the setup and configuration process is complete, the 
Intel MEBx password cannot be changed via the network interface. 

• Anytime — The Intel MEBx password can be changed through the network interface at any time. 


Network Setup 

Under the Intel ME Platform Configuration menu, select Network Setup and press Enter. 
The Intel ME Platform Configuration menu changes to the Intel ME Network Setup page. 


Network Name Settings 

Under the Intel ME Network Name Settings, select Intel ME Network Name Settings and press Enter. 


IntelCR) Management Engine BIDS Extension v 己， 0-1.0 白 03 
CopyrightCC) 乙 003-08 Intel Corporation- All Rights Reserved - 



1.Host Name 

Under the Intel ME Network Name Settings, select Host Name and press Enter. 

A host name can be assigned to the Intel AMT machine. This will be the host name of the Intel AMT-enabled system. 











IntelCR) Management Engine BIDS Extension v 己， 0-1 - 邮 03 
Copyright CO 乙 003-08 Intel Corporation- All Rights Reserved - 



2. Domain Name 


Under the Intel ME Network Name Settings, select Domain Name and press Enter. 
A domain name can be assigned to the Intel AMT machine. 


IntelCR) Management Engine BIDS Extension v 己， 0-1-0003 
CopyrightCC) 乙 003-08 Intel Corporation- All Rights Reserved, 
I INTELCH) ME NETWORK NAME SETTINGS ] 


Host Name 

Shared^Dedicated FQDN 
Dynamic DNS Update 
Previous Menu 



[ESC 卜 Exit 


[ENTER]=Subn 


3. Shared/Dedicated FQDN 


















Under the Intel ME Network Name Settings, select Shared/Dedicated FQDN and press Enter. 


te1(B) Management Engine BIOS Extension vB.0.3.0008/Inte1(B) ME u6.0.0.1142 
Copyright(C) Z003-09 Intel Corporation. All Bights Reserved. 
[INTEL(R) ME NETNDRK NAME SETTINGS ] 

Host Name 

Dona in Name _ 

Dynamic DNS Update 
Previous Menu 



けん ] =Se lect [ENTER] =ficcess 


[ESC]=Exi 



This setting determines whether the Intel ME Fully Qualified Domain Name (FQDN) (that is, the "HostName.DomainName") is 
shared with the host and identical to the operating system machine name or dedicated to the Intel ME. 


Option 

Description 

Dedicated 

The FQDN domain name is dedicated to ME 

Shared 

The FQDN domain name is shared with the Host 


4. Dynamic DNS Update 


Under the Intel ME Network Name Settings, select Dynamic DNS Update and press Enter. 
















IntelCR) Management Engine BIDS Extension v 己， 0-1- 白 003 
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If Dynamic DNS Update is enabled, then the firmware will actively try to register its IP addresses and FQDN in DNS using the 
Dynamic DNS Update protocol. If DDNS Update is disabled, then the firmware will not make an attempt to update DNS using 
DHCP option 81or Dynamic DNS update. If the DDNS Update state (Enabled or Disabled) is not configured by the user at all, 
then the firmware will assume its old implementation where the firmware used DHCP option 81 for DNS registration but did 
not directly update DNS using the DDNS update protocol. For selecting "Enabled" for Dynamic DNS Update, it is required that 
the Host Name and Domain Name are set. 


Option 

Description 

Enabled 

The Dynamic DNS Update Client in FW is enabled. 

Disabled 

The Dynamic DNS Update Client in FW is disabled. 


5. Periodic Update Interval 


1. Under the Intel ME Network Name Settings, select Periodic Update Interval and press Enter. 

2. Type the desired interval and press Enter. 















ite 1(R) Managenent Engine BIOS Extension mB. 0.3. 0010/ Inte1(R) ME mG. 0.0.IIBI 
Copyright(C) 2003-09 Intel Corporation. All Bights Beserued. 
[INTEL(B) ME NETNDRK NAME SE ： rT"GS ] 

Host Name 
Dona in Name 
Shared/Dedicated FQDN 
Dynamic DNS Update 



TTL 

Previous Menu 


Ualue = 0 or >= 20 



[ESC 卜 Exit [ENTER] ゴ ubm け 


。 NOTE; This option is only available when Dynamic DNS Update is enabled. 


Defines the interval at which the firmware DDNS Update client will send periodic updates. It should be set according to 
corporate DNS scavenging policy. Units are minutes. A value of 0 disables periodic update. The value set should be equal or 
greater than 20 minutes. The default value for this property is 24 hours -1440 minutes. 


6, TTL 


1. Under the Intel ME Network Name Settings, select TTL and press Enter. 

2. Type the desired time (in seconds) and press Enter. 











te1(B) Management Engine BIOS Extension vB.0.3. 0010/ Inte1(B) ME u6.0.0.1161 
Copyright(C) Z003-09 Intel Corporation. All Bights Reserved. 
[INTEL(R) ME NETNDRK NAME SEUINGS ] 

Host Name 
Domain Name 
Shared/Dedicated F 叫 N 
Dynamic DNS Update 
Periodic Update Interval 

Previous Menu 



。 NOTE: This option is only available when Dynamic DNS Update is enabled. 

This setting allows configuring the TTL time in seconds. This number should be greater than zero. If set to zero, the firmware 
uses its internal default value, which is 15 min or 1/3 of lease time for DHCP. 

7. Previous Menu 


1. Under the Intel ME Network Name Settings, select Previous Menu and press Enter. 

2. The Intel ME Network Name Settings menu changes to the Intel Network Setup page. 

TCP/IP Settings 

1. Under the Network Setup menu, select TCP/IP Settings and press Enter. 

2. The Intel ME Network Name Settings menu changes to the Intel Network Setup page. 

The Intel Network Setup menu changes to the TCP/IP Settings page. 

。 NOTE; The Intel MEBx has menus for Wireless IPv6, but no menu for wireless IPv4. When the Intel MEBx starts, it will 
check for the wireless interface to make the decision to display the wireless IPv6 menu or not. 

Wired LAN IPv4 Configuradon 


Under the TCP/IP Settings, select Wired LAN IPv4 Configuration and press Enter. 
The TCP/IP Settings menu changes to the Wired LAN IPv4 Configuration page. 









te1(R) Managenent Engine BIOS Extension mB. 0.3. 0010/ Inte 1(R) ME mG. 0.0.IIBI 
Copyright(C) 2003-09 Intel Corporation. All Bights Beserued. 

[ TCP/IP SETTINGS ] 



1.DHCP Mode 


Under Wired LAN IPv4 Configuration, select DHCP Mode and press Enter. 

The TCP/IP Settings menu changes to the Wired LAN IPv4 Configuration page. 

ENABLED: If DHCP Mode is enabled, TCP/IP settings will be configured by a DHCP server. More options will be displayed on 
the screen. Select ENABLED and press Enter, no additional steps are required. 

DHCP mode enabled. 


te1(B) Managenent Engine BIOS Extension vB.0.3.0008/Inte1(B) ME u6.0.0.1142 
Copyright(C) Z003-09 Intel Corporation. All Bights Reserved. 

[ MIRED LAN IP り 4 CONFIGURATION ] 

Previous Menu 


[ESC]=Exit けん ] =Select [ENTER]=ficcess 






















Select DISABLED and press Enter. If you disable DHCP, more options will be displayed. 


DHCP mode disabled. 


te1(B) Management Engine BIOS Extension vB.0.3.0008/Inte1(B) ME u6.0.0.1142 
Copyright(C) Z003-09 Intel Corporation. All Bights Reserved. 

[ MIRED LAN IP り 4 CONFIGURATION ] 

IPU4 Address 
Subnet Mask Address 
Default Gate 山 ay Address 
Preferred DNS Address 
Alternate DNS Address 
Previous Menu 



2. IPv4 Address 


Select IPv4 Address and press Enter. 

Type the IPv4 Address in the address column and press Enter. 


te1(R) Managenent Engine BIOS Extension mB. 0.3. 0008/ Inte 1(R) ME mG. 0.0.1142 
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3. Subnet Mask Address 


Select Subnet Mask Address and press Enter. 

Type the Subnet Mask Address in the address column and press Enter. 
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4. Default Gateway Address 

Select Default Gateway Address and press Enter. 

Type the Default Gateway Address in the address column and press Enter. 


te 1(B) Managenent Engine BIDS Extension vB. 0.3.0008/Inte 1(B) ME ^*6.0.0.114Z 
Copyright(C) Z003-09 Intel Corporation. All Rights Reserved. 

[ MIRED LAN IPU4 CONFIGURATION ] 

DHCP Mode 
IPU4 Address 
Subnet Mask Address 



Preferred DNS Address 
Alternate DNS Address 
Previous Menu 



Default Gateway address 



[ESC]=Ek け 


[ENTEH] ゴ ub 



















5. Preferred DNS Address 


Select Preferred DNS Address and press Enter. 

Type the Preferred DNS Address in the address column and press Enter. 


ite 1(R) Managenent Engine BIOS Extension mB. 0.3. 0008/ Inte1(R) ME mG. 0.0.1142 
Copyright(C) 2003-09 Intel Corporation. All Bights Beserued. 

[ MinSD LAN IF り 4 CONFIGUHflTION ] 

DHCP Mode 
IPU4 Address 
Subnet Mask Address 
Default Gateway Address 



Alternate DNS Address 
Previous Menu 


Preferred DNS address 



[ESC 卜 Exit [ENTER] ゴ ubm け 


6. Alternate DNS Address 


Select Alternate DNS Address and press Enter. 

Type the Alternate DNS Address in the address column and press Enter. 


te1(R) Managenent Engine BIOS Extension mB. 0.3. 0008/ Inte 1(R) ME mG. 0.0.1142 
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[ESC 卜 Exit 






















7. Previous Menu 


Under the Wired LAN IPv4 Configuration, select Previous Menu and press Enter. 
The Wired LAN IPv4 Configuration menu changes to the TCP/IP Settings menu. 


Wired LAN IPv6 Configuration 


Under the TCP/IP Settings, select Wired LAN IPv6 Configuration and press Enter. 

The TCP/IP Settings menu changes to the Wired LAN IPv6 Configuration page. 

The Intel ME IPv6 addresses are dedicated and not shared with the host operating system. To enable Dynamic DNS 
registration for IPv6 addresses, a dedicated FQDN must be configured. 


te1(R) Managenent Engine BIOS Extension mB. 0.3. 0008/ Inte 1(R) ME mG. 0.0.1142 
Copyright(C) 2003-09 Intel Corporation. All Bights Beserued. 


r UTDPn TOM TDUC r'nup TmiDOT Tnu i 



巧！ NOTE; The Intel ME network stack supports a multi-homed IPv6 interface. Each network interface can be configured 
with the following IPv6 addresses: 

1. One link local auto-configured address 

2. Three auto-configured global addresses 

3. One DHCPvG configured address 

4. One statically configured IPv6 address 

1.IPv6 Feature Selection 


Under the Wired LAN IPv6 Configuration, select IPv6 Feature Selection and press Enter. 
DISABLED: select 'Disabled' and press Enter. IPv6 Feature Selection is disabled. 












ite 1(B) Management Engine BIOS Extension vB.0.3.0008/Inte1(B) ME vB. 

Copyright(C) Z003-09 Intel Corporation. All Bights Reserved 


■114Z 



[ESC]=Exit 


[t^]=Select 


[ENTER]=flccess 



ENABLED: select 'Enabled' and press Enter. 

IPv6 Feature Selection is enabled as more configuration is allowed. 


te1(R) Managenent Engine BIOS Extension mB. 0.3. 0008/ Inte 1(R) ME mG. 0.0.1142 
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[ MIHED LAN IF り日 CDNFIGURRTIDN ] 

IPUB Interface ID Type 
IPUB Address 
IPUG Default Router 
Preferred DNS IPUB Address 
Alternate DNS IPUB Address 
Previous Menu 



2. IPv6 Interface ID Type 


Under the Wired LAN IPv6 Configuration, select IPv6 Interface ID Type and press Enter. 

The auto-configured IPv6 address consists of two parts; the IPv6 Prefix set by the IPv6 router is the first part and the 
interface ID is the second part (64 bits each). 























Option 

Description 

Random 

ID 

The IPv6 Interface ID is automatically generated using a random number 
as described in RFC 3041. This is the default. 

Intel ID 

The IPv6 Interface ID is automatically generated using the MAC address. 

Manual 

ID 

The IPv6 Interface ID is configured manually. Selecting this type requires 
that the Manual Interface ID is set with a valid value. 
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[ MIRED LAN IPUB CONFIGURATION ] 

IPUG Feature Select ion 

IPUB Address 
IPUG Default Router 
Preferred DNS IPUB Address 
Alternate DNS IPUB Address 



3. IPv6 Address 


Under the Wired LAN IPv6 Configuration, select IPv6 Address and press Enter. 
Type the IPv6 Address and press Enter. 
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[ MIRED LAN IP り G CONFIGUHflTION ] 

IPUB Feature Select ion 
IPUB Interface ID Type 



IPUG Default Bouter 
Preferred DNS IPU6 Address 
Alternate DNS IPUG Address 
Previous Menu 


IPU6 address (e.g. 2001:dbB::142B: 日 or any other yalid IPU6 address) 


[ESC]=Ek け [ENTEH] ゴ ubn け 


4. IPv6 Default Router 


Under the Wired LAN IPv6 Configuration, select IPv6 Default Router and press Enter. 
Type the IPv6 Default Router and press Enter. 
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[ MIRED LAN IPUB CONFIGURATION ] 

IPUB Feature Select ion 
IPUB Interface ID Type 
IPUB Address 



Preferred DNS IPUB Address 
Alternate DNS IPUB Address 
Previous Menu 


IPU6 address (e.g. 2001:dbB::142B: 日 or any other valid IPU6 address) 


[ESC]=Ek け [ENTEH] ゴ ubn け 


5. Preferred DNS IPv6 Address 
























Under the Wired LAN IPv6 Configuration, select Preferred DNS IPv6 Address and press Enter. 
Type the Preferred DNS IPv6 Address and press Enter. 
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[ MIRED LAN IP り G CONFIGURATION ] 

IPUB Feature Select ion 
IPUB Interface ID Type 
IPUB Address 
IPUG Default Bouter 



Alternate DNS IPUG Address 
Previous Menu 


IPU6 address (e.g. 2001:dbB::142B: 日 or any other yalid IPU6 address) 


[ESC]=Ek け [ENTEH] ゴ ubn け 


6. Alternate DNS IPv6 Address 

Under the Wired LAN IPv6 Configuration, select Alternate DNS IPv6 Address and press Enter. 
Type the Alternate DNS IPv6 Address and press Enter. 
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[ MIRED LAN IPUB CONFIGURATION ] 

IPUB Feature Select ion 
IPUB Interface ID Type 
IPUB Address 
IPUG Default Bouter 
Preferred DNS IPUB Address 



IPU6 address (e.g. 2001:dbB::142B: 日 or any other yalid IPU6 address) 


[ESC]=Ek け 


[ENTER]=Subn 
























7. Previous Menu 


Under the Wired LAN IPv6 Configuration, select Previous Menu and press Enter. 
The Wired LAN IPv6 Configuration menu changes to the TCP/IP Settings menu. 


Wireless LAN IPv6 Configuration 


Under the TCP/IP Settings, select Wireless LAN IPv6 Configuration and press Enter. 
The TCP/IP Settings menu changes to the Wireless LAN IPv6 Configuration page. 
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[ WIRELESS LAN IPU 巨 CONFIGURATION ] 


IPUB Interface ID Type 
Previous Menu 




1.IPv6 Feature Selection 


Under the Wireless LAN IPv6 Configuration, select IPv6 Feature Selection and press Enter. 
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[ WIHELESS LAM IP り日 CONFIGURATION ] 



IPUG Interface ID Type 
Previous Menu 



2. IPv6 Interface ID Type 


Under the Wired LAN IPv6 Configuration, select IPv6 Interface ID Type and press Enter. 

The auto-configured IPv6 address consists of two parts; the IPv6 Prefix set by the IPv6 router is the first part and the 
interface ID is the second part (64 bits each). 


Option 

Description 

Random 

ID 

The IPv6 Interface ID is automatically generated using a random number 
as described in RFC 3041. This is the default. 

Intel ID 

The IPv6 Interface ID is automatically generated using the MAC address. 

Manual 

ID 

The IPv6 Interface ID is configured manually. Selecting this type requires 
that the Manual Interface ID is set with a valid value. 
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[ WIRELESS LRN IP り日 CDNFIGURRTIDN ] 


IPUB Feature Selection 



Previous Menu 



3. Previous Menu 


Under the Wireless LAN IPv6 Configuration, select Previous Menu and press Enter. 
The Wireless LAN IPv6 Configuration menu changes to the TCP/IP Settings menu. 


Unconfigure Network Access 

1.Under the Intel ME Platform Configuration menu, select Unconfigure Network Access and press Enter. 


。 NOTE; This will cause Intel ME to transition to the PRE-provisioning state. 










Intel(R) Managenent Engine BIDS Exteifision u 巨 - 0-1-0 曰 03 
Copyright(C) 2 白 03 ■白 8 Intel Corporation- All Rights Reserved - 
I INTELtR) ME PLATFORM CONFIGURflTIDH 3 
IntelCR) ME State Control 
Change ME Password 
Password Policy 

Network Setup ^ 

Activate Network Access 
Uncomfigiire Network Access 
Remote Setup find Configuration 卜 

FW Update Settings 卜 


[ESC]=Exit [ すん ] =Select [ENTER]=ficcess 


=EC な ut ion 3 = 

Resets netuork settings including network flCLs 
to factory defaults. System resets on MEBx exit. 

CoFit inuB ： (V/M5 


2. Select Y to unconfigure. 
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Copyright(C) 乙 003-08 Intel Corporatiom- All Rights Reserved - 
[ fHTELtRl ME PLfiTFOHM COHFIGURfillQN ] 

Intel の ） ME State Control 
Change ME Password 
Passuord Policy 

Network Setup 卜 

flcTivate Network Access 
Unconfigure Network Access 
Remote Setup find Configuration 户 

FW Update Settings ^ 


EESC ] =Ex it けり =Se lect CENTER] =ficcess 



3. Select Full Unprovisioning and press Enter. 
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[ fNTELCR) rtE PLATFORM CQHFIGURfiTlOH ] 

Intel の ） ME State Covitrol 
Change ME Password 
Password Policy 
Network Setup 
Activate Network Access 



Remote Setup find Configuration 
FW Update Settings 


EESC 3 =Ex it [ すん ] =Se lect EENTEFI] =Access 




4. Unprovisioning in progress. 


IntelCR) Management Engine BIDS Extension v 己， 0-1-0003 
CopyrightCC) 乙 003-08 Intel Corporation- All Rights Reserved - 
[ INTELCR) ME PLATFORM CONFIGURATIDM 1 
IntelCR) ME State Control 
Change ME Password 
Password Policy 

Network Setup ^ 

Activate Network Access 



Remote Setup find Configuration K 

FW Update Settings K 


CESCl=Exit [ すん ] =Select [ENTER]=ficcess 


Full Unproyision 


Un-Provision IntelCR) AMI in progress- -- 


Remote Setup and Configuration 

Under the Intel ME Platform Configuration menu, select Automated Remote Setup and Configuration and press Enter. 
The Intel ME Platform Configuration menu changes to the Automated Remote Setup and Configuration page. 
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[ INTELCH) AUTOMATED SETUP AND CONFIGUHflTION ] 

Proyis ioning Record 
nCFG 卜 

Provisioning Server IPU4/IPUG 
Pro リ is ioning Server FQDN 
TLS PSK 卜 

TLS PKI 
Previous Menu 


[ESC]=Exit けん ] =Select [ENTER]=ficcess 



Current Provisioning Mode 


Under Automated Setup and Configuration, select Current Provisioning Mode and press Enter. 
Current Provisioning Mode - Displays the current provisioning TLS Mode: None, PKI, or PSK. 
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Provisioning Record 
























Under Automated Setup and Configuration, select Provisioning Record and press Enter. 

Provisioning Record - Displays the system's provision PSK/PKI record data. If the data has not been entered, the Intel 
MEBx displays a message stating 、、 Provision Record not present". 
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If the data is entered, the Provision record will display as below: 


Option 

Description 

TLS 

provisioning 

mode 

Displays the current configuration mode of the system: None, PSK or PKI. 

Provisioning IP 

The IP address of the setup and configuration server. 

Date of 

Provision 

Displays the date and time of the provisioning in the format MM/DD/YYYY at 

DNS 

Indicates whether the "PKI DNS Suffix" was configured in Intel MEBx before remote 
configuration took place or not. A value of 0 indicates that the DNS suffix was not 
configured and the firmware will rely on DHCP option 15 and compare this suffix to the 

FQDN in the Configuration Server's client certificate. A value of 1 indicates that the DNS 
suffix was configured and the firmware matched it against the DNS suffix in the 

Configuration Server's client certificate. 

Host Initiated - Indicates whether the setup and configuration process was initiated by the 
host: 'No' indicates that the setup and configuration process was NOT host-initiated, 'Yes' 
indicates the setup and configuration process was host-initiated (PKI only). 

Hash Data 

Displays the 40-character certificate hash data (PKI only). 

Hash Algorithm 

Describes the hash type. Currently, only SHAl is supported. (PKI only). 

IsDefault 

Displays 'Yes' if the hash algorithm is the default algorithm selected. Displays 'No' if the 
hash algorithm is NOT the default algorithm used (PKI only). 

FQDN 

FQDN of the provisioning server mentioned in the certificate (PKI only). 

Serial Number 

The 32-character string that indicates the Certificate Authority serial numbers. 

Time Validity 
Pass 

Indicates whether the certificate passed the time validity check. 


RCFG 




























Under the Intel Automated Remote Setup and Configuration menu, select RCFG and press Enter. 

The Intel Automated Remote Setup and Configuration menu changes to the Intel Remote Configuration page. 
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[ INTELCH) REMOTE CDNFIGURRTION ] 

Previous Menu 



Start Configuration 


Under the Intel Remote Configuration menu, select Start Configuration and press Enter. 
If Remote Configuration is not activated, Remote configuration cannot occur. 

To activate (enable) remote configuration, select Y. 
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[ "TELm REMOTE CONFIGURATION ] 

Start Configuration 
Previous Menu 


[ESC]=Exit [ 个ム ] =Select [ENTER]=Access 


[Caution] 

This will activate Remote Comiguration. 
CGifit inue : け / N) 





















Previous Menu 


Under the Intel Remote Configuration menu, select Previous Menu and press Enter. 

The Intel Remote Configuration menu changes to the Intel Automated Setup and Configuration page. 


Provisioning Server IPv4/IPv6 

Under the Intel Automated Setup and Configuration menu, select Provisioning Server IPv4/IPv6 and press Enter. 
1.Type the provisioning server address and press Enter. 
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[ INTELCH) AUTOMATED SETUP AND CDNFIGURRTIDN ] 


Current Provis ioning Mode 
Proyis ioning Record 
nCFG 



Proyis ioning Server FQDN 
TLS PSK 
TLS PKI 
Previous Menu 


Provisioning server address 


[ESC]=Ek け [ENTEH] ゴ ubn け 


2. Type the provisioning server port number and press Enter. 


The port number (0 - 65535) of the Intel AMT provisioning server. The default port number is 9971. 
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[ INTELCH) AUTOMATED SETUP AND CONFIGUHflTION ] 


Current Provis ioning Mode 
Proyis ioning Record 
nCFG 卜 



Pro リ is ioning Server FQDN 
TLS PSK 卜 

TLS PKI 
Previous Menu 


Port number (0-65535) 
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Provisioning Server FQDN 

Under the Intel Automated Remote Setup and Configuration menu, select Provisioning Server FQDN and press Enter. 
Type the FQDN of the provisioning server and press Enter. 


IntelCR) Management Engine BIDS Extension v 己， 0-1-0003 
: 卜 Ex it CENTER ]=Suibn its Reserved - 

E INTELCH) AUTOMATED SETUP AND CONFIGURfilION ]^[^= 
Current Provisioning Mode 
Provisioning Record 
HCFG 


Provisioning Server IP 



TLS PSK 
TLS PKI 
Previous Menu 


Enter FQDN of provisioning server 


FQDN of the provisioning server mentioned in the certificate (PKI only). This is also the FQDN of the server that AMT 
sends hello packets to for both PSK and PKI. 



















TLS PSK 


Under the Intel Automated Setup and Configuration menu, select TLS PSK and press Enter. 

The Intel Automated Remote Setup and Configuration menu changes to the Intel TLS PSK Configuration page. 

This submenu contains the settings for TLS PSK configuration settings_ 
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CESCl =Exit E すん ] =Select [ENTER ] =ficcess 



Set PID and PPS 


Under the Intel TLS PSK Configuration menu, select Set PID and PPS and press Enter. 
Type PID and press Enter. 

Type PPS and press Enter. 










Setting the PID/PPS will cause a partial unprovision if the setup and configuration is 、、 In-process". The PID and PPS should be 
entered in the dash format. (Ex. PID: 1234-ABCD ; PPS: 1234-ABCD-1234-ABCD-1234-ABCD-1234-ABCD). 

。 NOTE: A PPS value of'0000-0000-0000-0000-0000-0000-0000-0000'will not change the setup configuration state. If 
this value is used, the setup and configuration state will remain 'Not-started'. 


Deleting PID and PPS 


Under the Intel TLS PSK Configuration menu, select Delete PID and PPS and press Enter. 

This option deletes the current PID and PPS stored in Intel ME. If the PID and PPS were not entered previously, the Intel 
MEBx will return an error message. 

To delete the PID and PPS entries, select Y, else N. 
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： ESC]=Exit 


E すん ] =Select 


[ENTER] =ficcess 



Previous Menu 


Under the Intel TLS PSK Configuration menu select Previous Menu and press Enter. 

The Intel TLS PSK Configuration menu changes to the Intel Automated Setup and Configuration page. 


TLS PKI 

Under the Intel Automated Setup and Configuration menu, select TLS PKI and press Enter. 

The Intel Automated Remote Setup and Configuration menu changes to the Intel Remote Configuration page. 

Remote Configuration 

Under the Intel Remote Configuration menu, select Remote Configuration and press Enter. 

Enabling/Disablinq Remote configuration will cause a partial un-provision if the setup and configuration server is ''In-process''. 


Option 

Description 

Disabled 

Remote configuration is disabled. Only 'Remote Configuration' and 
'Previous Menu' items are visible. 

Enabled 

Remote configuration is enabled, this will show additional fields. 


To Disabled: Select Disabled and press Enter. 
To Enabled: Select Enabled and press Enter. 
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[ INTEL(R) REMOTE CDNFIGURflIION ] 

PKI DNS Suffix 
Manage Hashes 
Previous Menu 


[ESC]=Exit E すん ] =Select [ENTER]=ficcess 



PKI DNS Suffix 

Under the Intel Remote Configuration menu, select PKI DNS Suffix and press Enter. 
Type the PKI DNS Suffix and press Enter. 



Manage Hashes 



















Under the Intel Remote Configuration menu, select Manage Hashes and press Enter. 
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I MAIN MENU ] i ： 

Remote Configuration — 

PKI DNS Suffix 
Manage Hashes 
Previous Menu 



Selecting this option will enumerate the hashes in the system and display the Hash Name and the active and default state. If 
the system does not contain any hashes yet, Intel MEBx will display the following screen. 



Answering 'Yes' will begin the process of adding customized hash. Please see the next section below. 

The Manage Certificate Hash screen provides keyboard controls for managing the hashes on the system. The following keys 
are valid when in the Manage Certificate Hash menu. 


Key 

Description 

Escape 

Exits from the menu. 

Insert 

Adds a customized certificate hash to the system. 

Delete 

Deletes the currently selected certificate hash from the system. 

+ 

Changes the active state of the currently selected certificate hash. 

Enter 

Displays the details of the currently selected certificate hash. 





































Adding Customized Hash 

When the Insert key is pressed in the Manage Certificate Hash screen, the following screen is displayed: 
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[ MAIN MENU ] 

Renote Configuration Enable/Disable ** 

Manage Certificate Hashes 
Set FQDN 

Set PKI DNS Suffix 
Beturn to Previous Menu 


Enter Hash Name 


[ESC]=Exit [ENTEH]=Subnit 


To add a customized certificate hash : Type the hash name (up to 32 characters). When you press Enter, you are 
prompted to enter the certificate hash value. 
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Renote Configuration Enable/Disable ** 

Manage Certificate Hashes 

Set FQDN 

Set PKI DNS Suffix 

Beturn to Previous Menu 







Enter Certificate (e.g. fiBCD-1234-fiBCD-lZ34-fiBCD-lZ34-fiBCD-1234-fiBCD-lZ34) 

3Z13-3213-3213-3Z13-3Z13-3213-3Z13-3Z13-3213 - 




[ESC]=Exit [ENTEH]=Subnit 


The Certificate hash value is a hexadecimal number (for SHA-1 it is 20 bytes for SHA-2 it is 32 bytes). If the value is not 
entered in the correct format, the message ''Invalid Hash Certificate Entered - Try Again" is displayed. When you press 






















'Enter', you are prompted to set the active state of the hash. 


Intel(B) Mandgenent Engine BIOS Extension v5.0.0.0008 
Copyright(C) 2003-07 Intel Corporation. All Rights Reserved. 

- r unTU U17UII i - 



Your response sets the active state of the customized hash as follows: 

• Yes - The customized hash will be marked as active. 

• No (Default) - The customized hash will add to the EPS but will not be active. 

Deleting a Hash 

When the Delete key is pressed in the Manage Certificate Hash screen, the following screen is displayed: 
。 NOTE; A certificate hash that is set to Default cannot be deleted. 
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[ MAIN MENU ] 

Renote Configuration Enable/Disable ** 

Manage Certificate Hashes 
Set FQDN 

Set PKI DNS Suffix 
Beturn to Previous Menu 



Actiye 

Default 

Class 3 Primary Cfl-Gl 
Class 3 Primary CA-G3 

[*] 

[*] 

[—] 

[—] 


Comod 

Starf 

name 


De let 

e this certificate 

hash? (V/H) 



[ESC]=E 


[INS]=Add 


[DEL]=Del 


: Act iu 


[ENTEn]=Uie 




This option allows deleting of the selected certificate hash. 

■ Yes - Intel MEBx sends the firmware a message to delete the selected hash. 

• No - Intel MEBx does not delete the selected hash, and returns to Remote Configuration. 

Changing the Active State 


When the '+' key is pressed in the Manage Certificate Hashes screen, the following screen is displayed: 



Remote Cont 巧 uration Enable/Disable ** 
Set FQDN 

Set PKI DNS Suffix 

rtcturn to Prcw ious Menu 




[ESC]=Exit [INS]=fldd [DEL]=Del [+]=flctiue [ENTER]=Uie 


Answering Y toggles the active state of the currently selected certificate hash. Setting a hash as active indicates that the hash 
is available for use during PSK provisioning. 

Viewing a Certificate Hash 


When the Enter key is pressed in the Manage Certificate Hash screen, the following screen is displayed: 








































Hash 

UeriSign Class 3 Primary Cfl-Gl 
UeriSign Class 3 Primary Cfl-G3 
Go Daddy Class 2 Cfl 
Comodo AAA CR 
Starfield Class Z Cfl 


Hash Name : UeriSign Class 3 Primary Cfl-Gl 

Hash Data ： 74ZC-3192-E607-E4Z4-EB45-4954-ZBE1-BBC5-3E61-74EZ 
DcfauIt : [—] 

Active: [*] 
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The details of the selected certificate hash are displayed to the user and include the following: 


• Hash Name 

• Certificate Hash Data 

• Active and Default States 


Previous Menu 


Under the Intel Remote Configuration menu, select Previous Menu and press Enter. 

The Intel Remote Configuration menu changes to the Intel Automated Setup and Configuration page. 


FW Update Settings 

Under the Intel ME Platform Configuration menu, select FW Update Settings and press Enter. 
The Intel ME Platform Configuration menu changes to the FW Update Settings page. 


c rL E rL rL 
























IntelCR) Manageitient Engine BIDS Extension u 巨， 0-1 - 邮 03 
Copyright CO 乙 003-08 Intel Corporation- All Rights Heseryed - 

I FW Update Settings ] = 


Secure FW Update 
Previous Menu 



Local FW Update 

Under the FW Update Settings menu, select Local FW Update and press Enter. 
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Intel ME Firmware Local Update provides the capability to allow or prevent firmware local update in the field. When the 
"Enabled" option is selected, the IT-admin is able to update the Intel ME firmware locally via the local Intel Management 
Engine interface or via the local secure interface. 

This local firmware update does not require an administrator user name and password. Therefore, once the local update is 
complete, this setting is automatically set to "Disabled" by the Intel ME firmware. This option must be set to ''Enabled" when 



















a local update is needed. 


Secure FW Update 

Under the FW Update Settings menu, select Secure FW Update and press Enter. 
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This option allows the user to enable or disable secure firmware updates. The Secure Firmware Update function requires an 
administrator user name and password. If the administrator user name and password are not supplied, the firmware cannot 
be updated. 

When the Secure Firmware Update feature is enabled, the IT administrator can update the firmware using the secure method. 
Secure firmware updates are performed via the LMS driver. 


Previous Menu 


Under the FW Update Settings menu, select Previous Menu and press Enter. 

The FW Update Settings menu changes to the Intel ME Platform Configuration page. 


Set PRTC 


Under the Intel ME Platform Configuration menu, select Set PRC and press Enter. 











け二 Exit 
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Change ME Password 
Password Policy 


Network Setup 
Activate Network Access 
Unconfigure Network Access 
Henote Setup find Ccmfiguration 
FW Update Settings 




y 


Valid date range: 1/1/2004 - 1/4/2021. Setting the PRTC value is used for virtually maintaining PRTC during the power-off 
(G3) state. 

Type PRTC in GMT (UTC) format (YYYY:MM:DD:HH:MM:SS) and press Enter. 


Power Control 

Under the Intel ME Platform Configuration menu, select Power Control and press Enter. 
The Intel ME Platform Configuration menu changes to the Intel Power Control page. 
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Idle Timeout 
Previous Menu 


[ESC]=Exi 


[t^]=Select 


[ENTER]=flccess 




















To comply with ENERGY STAR* and EUP LOT6 requirements, the Intel ME can be turned off in various sleep states. The Intel 
ME Power Control menu configures the Intel ME platform power-related policies. 


Intel ME ON in Host Sleep States 

Under the Intel ME Power Control menu, select Intel ME ON in Host Sleep States and press Enter. 
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The selected power package determines when the Intel ME is turned ON. The default power package can be modified by using 
FITC or by FPT. 

The end user administrator can choose which power package to use depending on the systems usage. 

The following table illustrates the details of the power packages. 

With Intel ME WoL, after the time-out tinner expires, the Intel ME remains in the M-off state until a command is sent to the 
ME. After this command has been sent, the Intel ME will transition to an MO or M3 state and will respond to the next 
command that is sent. A ping to the Intel ME will also cause the Intel ME to go into an MO or M3 state. 

The Intel ME takes a short time to transition from the M-off state to the MO or M3 state. During this time, Intel AMT will not 
respond to any Intel ME commands. When the Intel ME has reached the MO or M3 state, the system will respond to Intel ME 
commands. 


Power Package 

1 

2 

SO 

ON 

ON 

S3 

OFF 

ON/ ME WoL 

S4/S5 

OFF 

ON/ ME WoL 


Select the desired Power Policy and press Enter. 


。 NOTE; Putting a system into the provisioning state will automatically switch to Power Package 2. This can later be 
changed through WebUI, the management console, or MEBx. 


Idle Time Out 


Under the Intel ME Power Control menu, select Idle Time Out and press Enter. 
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Previous Menu 



This setting is used to enable the Intel ME Wake on and to define the Intel ME idle timeout in M3 state. The value should be 
entered in minutes. The value indicates the amount of time that the Intel ME is allowed remain idle in M3 before transitioning 
to the M-off state. 


。 NOTE: If the Intel ME is in MO, it will NOT transition to M-off. 


Previous Menu 

Under the Intel ME Platform Configuration menu, select Previous Menu and press Enter. 
The Intel ME Power Control menu changes to the Intel ME Platform Configuration page. 


Information on this page provided by Intel ■ 
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AMT Configuration 

After you completely configure the Intel® Management Engine (ME) feature, you must reboot before configuring the Intel AMT 
for a clean system boot. Select the Intel AMT configuration option from the Management Engine BIOS Extension 
(MEBx) main menu. This feature allows you to configure an Intel AMT-capable computer to support the Intel AMT 
management features. 

。 NOTE; You need to have a basic understanding of networking and computer technology terms, such as TCP/IP, DHCP, 
VLAN, IDE, DNS, subnet mask, default gateway, and domain name. Explaining these terms is beyond the scope of this 
document. 

The Intel AMT Configuration page appears. Below are quick links to the various sections. 

• Manageability Feature Selection 

O SOL/IDER 

■ Username and Password 

- SOL 

■ Redirection Mode 

■ Previous Menu 
o KVM Configuration 

■ KVM Feature Selection 

■ User Opt-in 

■ Opt-in Configurable from remote IT 

■ Previous Menu 
o Previous Menu 

The Intel AMT Configuration page contains the user-configurable options listed below. 


Manageability Feature Selection 

Under the Main Menu, select Intel AMT Configuration and press Enter. The Main Menu changes to the Intel AMT 
Configuration page. 

Under the Intel AMT Configuration menu, select Manageability Feature Selection and press Enter. 
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Previous Menu 


[ESC]=Ex け 


[ 个ム ]=Select 


[ENTER]=flccess 




























When the Manageability Feature Selection is enabled, the Intel ME manageability feature menu will be shown. Leaving it 
disabled means that manageability will not be enabled. 

SOL/IDER 

Under the Intel AMT Configuration page (with Intel AMT enabled), select SOL/IDER and press Enter. 

The Intel AMT Configuration page changes to the SOL/IDER page. 


Username and Password 


Under the SOL/IDER page select, Username and Password and press Enter. 
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SOL 

IDER 

Redirection Mode 
Previous Menu 



This option provides the user authentication for SOL/IDER session. If Kerberos* is used, this option should be set to 
DISABLED. The user authentication is handled through Kerberos. If Kerberos is not used, the IT administrator has the choice 
to enable or disable user authentication on SOL/IDER session. 


Option 

Description 

Enabled 

Username and Password is enabled 

Disabled 

Username and Password is disabled. 


SOL 


Under the SOL/IDER page, select SOL and press Enter. 
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Redirection Mode 
Previous Menu 



SOL allows the console input/output of an Intel AMT-managed client to be redirected to a management server console (if the 
client system supports SOL). If the system does not support SOL, this value cannot enable it. 


Option 

Description 

Enabled 

SOL is enabled 

Disabled 

SOL is disabled. 


。 NOTE; Disabling SOL does not remove this feature but only blocks it from being used. 

IDER 

Under the SOL/IDER page, select IDER and press Enter. 
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Redirection Mode 
Previous Menu 



IDE-R allows an Intel AMT-managed client to be booted by a management console from a remote disk image. If the client 
system does not support IDE-R, this value cannot enable it. 


Option 

Description 

Enabled 

IDER is enabled 

Disabled 

IDER is disabled. 


。 NOTE; Disabling IDER does not remove this feature but only blocks it from being used. 

Redirection Mode 


Under the SOL/IDER page select, Redirection Mode and press Enter. 
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IDER 



Legacy Redirection Mode controls how the redirection works. If set to disabled, the console needs to open the redirection 
ports before each session. This is meant for enterprise consoles and new SMB consoles that support opening the redirection 
ports. The old SMB consoles (before Intel AMT 6.0) which do not support opening the redirection ports function need to 
manually turn on the redirection port through this Intel MEBx option. 

When selecting the mode, the followinq message is displayed: _ 
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Username £ Password 
SOL 
IDER 

Redirect ion Mode 
Previous Menu 


[ESC]=Exit [ 个ム ] =Select [ENTER]=Access 


Redirecticm Mode must be enabled uhen using 
a legacy SMB Bedirection Console 



Option 

Description 

Disabled 

Legacy redirection Mode is disabled.(Default) 


The port is left open at all times when redirection is enabled in the Intel MEBx. It is the 





























Enabled same as what used to be SMB mode in previous projects. Old (before Intel AMT 6.0) 
SMB consoles will need this mode to succeed opening redirection sessions. 


Previous Menu 

Under the SOL/IDER page, select Previous Menu and press Enter. 
The SOL/IDER page changes to the Intel AMT Configuration page. 


KVM Configuration 


Under the Intel AMT Configuration page, select KVM Configuration and press Enter. 
The Intel AMT Configuration page changes to the KVM Configuration page. 

KVM Feature Selection 

Under the I KVM Configuration page, select KVM Feature Selection and press Enter. 
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User Opt-in 

Opt-in Configurable fro 向 remote IT 


Previous Menu 



Option 

Description 

Disabled 

Disable KVM Feature 

Enabled 

Enable KVM Feature 


。 NOTE: Disabling KVM does not remove this feature but disables it. KVM will not work in this case. 

User Opt-in 


Under the I KVM Configuration page, select User Opt-in and press Enter. 
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User Consent is fequiired for KUM Session 


The following options can be selected: 

Local User Consent is not required for remote establishment of KVM session 
Local User Consent is required for remote establishment of KVM session 


Opt-in Configurable from remote IT 


Under the I KVM Configuration page, select Opt-in Configurable from remote IT and press Enter. 
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Option 

Description 

Disable Remote Control 
of KVM Opt-in Policy 

This option disables the Remote User's ability to select User OPT-IN Policy. 

In this case only the local user can control the opt-in policy. 

Enable Remote Control 
of KVM Opt-in Policy 

Enables Remote User's ability to select User OPT-IN Policy. 


Previous Menu 

Under the KVM Configuration page, select Previous Menu and press Enter. 

The KVM Configuration page changes to the Intel AMT Configuration page. 

Previous Menu 

Under the Intel AMT Configuration page, select Previous Menu and press Enter 
The Intel AMT Configuration page changes to Main Menu page. 

* Information on this page provided by Intel ■ 
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Intel® Fast Call 

Intel® Fast Call for help is a feature that is available for VPro SKUs. An Intel Fast Call for help connection allows the end user 
to request assistance if the VPro system is outside the corporate network. If the BIOS allows an Intel Fast Call for help 
connection, the user can press the hot key/button (<Ctrl><h>) while the system is loading to initiate an Intel Fast Call 
connection. It is recommended to press F12 and select Fast Call for Help. 

。 NOTE; This feature will only be available when the IT administrator has configured the system to support it. 


Requirements 

Before an Intel Fast Call connection can be established from the Operating System, the VPro system must have: 

1. Environment detection enabled 

2. Remote Connection policy 

3. Management Presence Server (MPS) 


Putting it all Together 

In order to get the Intel Fast Call for help, the system needs to be in provisioned state. If the system supports Full VPro, Intel 
Fast Call for help will be available for use. If the system only supports Intel Standard Manageability, Intel Fast call for help is 
not enabled. 

1. Before an Intel Fast Call for help can be started, environment detection must be enabled. This allows Intel AMT to 
determine if the system is within the corporate network. This is configured through an ISV app. 

2. A remote connection policy must be created before an Intel Fast call for help can be initiated. The policy for the BIOS- 
initiated call does not need to be configured, but another policy must exist before initiating a help call from the BIOS. 
The BIOS must support the hot key that initiates the Intel Fast call for help. 

3. A management presence server must exist to answer the Intel fast calls for help. The management presence server 
resides in the DMZ zone. 

When all of these conditions are satisfied, the system is able to initiate an Intel Fast Call for help. 


Initiating Intel Fast Call for Help 

Once the feature has been fully configured, there are three methods for initiating an Intel Fast Call for help session. These 
include: 

• At the Dell splash screen press <Ctrl><h>. 

• At the Dell splash screen press <F12> for the One Time Boot Menu. 

o Select the last option titled Intel Fast Call for Help. 

• From Windows: 

1. Launch the Intel AMT privacy icon/application Intel Management Security Status. 

2. Switch to the Intel AMT tab. 

3. In the Remote Connectivity box, click Connect. 

Information on this page provided by Intel. 
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ME General Settings 

The following table lists the default settings for the Intel® Management Engine BIOS Extension (MEBx) on general settings 
page. 

Password 


Password admin 


Change Intel ME Password 


Change Intel ME Password blank 


Password Policy 



Default Password Only * 

Password Policy 

During Setup and Configuration 

Anytime 


Network Setup 


Network Name Settings 

Host Name 

blank 

Domain Name 

blank 

FQDN 

Dedicated 

Shared * 

Dynamic DNS 

Disabled * 

Enabled 

TCP/IP Settings 

Wired LAN IPv4 Configuration 

DHCP Mode 

Disabled 

Enabled * 

Wired LAN IPv6 Configuration 

IPv6 Feature Selection 

Disabled * 

Enabled 

The configuration page is displayed only if enabled is selected. 

IPv6 Interface ID Type 

Random ID * 

Intel ID 

Manual ID 

IPv6 Address 

blank 

IPv6 Default Router 

blank 

Preferred DNS IPv6 Addrress 

blank 

Alternate DNS IPv6 Address 

blank 





























Activate Network Access I Y / N 
Unconfigure Network Access Y / N 


Remote Setup and Configuration 


Current Provisioning Mode 

Provisioning Record 

RCFG 

Start Configuration 

Y/ N 

Provisioning Server IPv4/IPv6 

blank 

Provisioning Server FQDN 

blank 

TLS PSK 

Set PID and PPS 

blank 

Delete PID and PPS 

Y/ N 

TLS PKI 

Remote Configuration 

Disabled 

Enabled * 

PKI DNS Suffix 

blank 

Manage Hashes 


FW Update Settings 


FW Update Settings 


Always Open * 

Local FW Update Qualifier 

Never Open 


Restricted 

Secure FW Update 

Disabled 

Enabled * 


* Default setting 

**May cause Intel AMT partial unprovision 

1 Intel ME Platform State Control is only changed for Management Engine (ME) troubleshooting. 

2 Un-provision setting only seen if the box is provisioned. 




























AMT Configuration 

The following table lists the default settings for the Intel® Management Engine BIOS Extension (MEBx) on AMT configuration 
page. 


Manageability/Feature Selection 


SOL/IDER 

Username and Password 

Disabled 

Enabled * 

SOL 

Disabled 

Enabled * 

IDER 

Disabled 

Enabled * 

Legacy Redirection Mode 

Disabled 

Enabled * 

KVM Configuration 

KVM feature Selection 

Disabled 

Enabled * 

User Opt-in 

User Consent is not required for KVM session 

User Consent is required for KVM session * 

Opt-in Configurable from remote IT 

Disable Remote Control of KVM Opt-In Policy 

Enable Remote Control of KVM Opt-In Policy * 


。 NOTE: In order for KVM to work, the requirement must be Clarkdale/Arrandale CPU 
* Default setting 

**May cause Intel AMT partial unprovision 

1 Intel ME Platform State Control is only changed for Management Engine (ME) troubleshooting. 

2 In Enterprise mode, DHCP automatically loads the domain name. 

3 Un-provision setting only seen if the box is provisioned. 













Setup and Configuration Methods Overview 

As discussed in the Setup and Configuration Overview section, the computer has to be configured before the Intel AMT 
capabilities are ready to interact with management application. There are two methods to complete the provisioning process 
(in order from least complex to most complex): 

• Configuration service — A configuration service allows you to complete the provisioning process from a GUI console 
on their server with only one touch on each of the Intel AMT-capable computers. The PPS and PID fields are completed 
using a file created by the configuration service saved to a USB mass storage device. 

• MEBx interface — The IT administrator manually configures the Management Engine BIOS Extension (MEBx) settings 
on each Intel AMT-ready computer. The PPS and PID fields are completed by typing the 32 character and 8 character 
alphanumeric keys created by the configuration service into the MEBx interface. 

• TLS-PKI— Commonly referred to as Remote Configuration (RCFG) or Zero Touch Configuration (ZTC). This process 
utilizes a certificate associated with the ProvisionServer. The associated certificate hash must be listed within the Intel 
Management Engine BIOS Extension (MEBx). 


Details on using these various methods are available in the next few sections. 
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Configuration Service—Using a USB Device 

This section discusses Intel® AMT setup and configuration using a USB storage device. You can set up and locally configure 
password, provisioning ID (PID), and provisioning passphrase (PPS) information with a USB drive key. This is also called USB 
provisioning. USB provisioning allows you to manually set up and configure computers without the problems associated with 
manually typing in entries. 

。 NOTE; USB provisioning only works if the MEBx password is set to the factory default of admin. If the password has 
been changed, reset it to the factory default by clearing the CMOS. 


The following is a typical USB drive key setup and configuration procedure. For a detailed walk-through using Altiris® DelT"^ 
Client Manager (DCM), refer to the USB device procedure page. 

1. An IT technician inserts a US 巨 drive key into a computer with a management console. 

2. The technician requests local setup and configuration records from a setup and configuration server (SCS) through the 
console. 

3. The SCS does the following: 

1. Generates the appropriate passwords, PID, and PPS sets. 

2. Stores this information in its database. 

3. Returns the information to the management console. 

4. The management console writes the password, PID, and PPS sets to a setup.bin file in the USB drive key. 

5. The technician takes the USB drive key to the staging area where new Intel AMT-capable computers are located. The 
technician then does the following: 

1. Unpacks and connects computers, if necessary. 

2. Inserts the USB drive key into a computer. 

3. Turns on that computer. 

6. The computer BIOS detects the USB drive key. 

o If found, the BIOS looks for a setup.bin file at the beginning of the drive key. Go to step 7. 
o If no USB drive key or setup.bin file is found, then restart the computer. Ignore the remaining steps. 

7. The computer BIOS displays a message that automatic setup and configuration will occur. 

1. The first available record in the setup.bin file is read into memory. The process accomplishes the following: 

■ Validates the file header record. 

■ Locates the next available record. 

■ If the procedure is successful, the current record is invalidated so it cannot be used again. 

2. The process places the memory address into the MEBx parameter block. 

3. The process calls MEBx. 

8. MEBx processes the record. 

9. MEBx writes a completion message to the display. 

10. The IT technician turns off the computer. The computer is now in the setup state and is ready to be distributed to 
users in an Enterprise-mode environment. 

11. Repeat step 5 if you have more than one computer. 

Refer to the management console supplier for more information on USB drive key setup and configuration. 


USB Drive Key Requirements 

The USB drive key must meet the following requirements to be able to set up and configure Intel AMT : 

• It must be greater than 16 MB. 

• It must be formatted with the FAT16 or FAT32 file system. 

• The sector size must be 1 KB. 

• The USB drive key is not bootable. 

• The USB drive key is for AMT provisioning and not for any other purpose. 

• The USB key must not contain any other files whether hidden, deleted, or otherwise. 

• The setup.bin file must be the first file landed on the USB drive key (for legacy BIOS or Deir*^ OptiPlex^*^ 980). 

• The setup.bin file must be in the top directory (for UEFI BIOS or Deir*^ Latitude^*^ E6410 / E6410 ATG / E6510 

or Dell PrecisionTM Mobile Workstation M4500). 

Back to Contents Page 
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USB Device Procedure 


The default console package provided is the DelT^ Client Management (DCM) application. This section provides the procedure 

to set up and configure Intel® AMT with the DCM package. As mentioned earlier in the document, several other packages are 
available through third-party vendors. 

The computer must be configured and seen by the DNS server before you begin this process. Also, a USB storage device is 
required and must conform to the requirements listed in Configuration Service--Usina a USB Device. 

。 NOTE; The nature of management software is that it is not always dynamic or real time. In fact, sometimes if you tell a 
computer to do something, such as to reboot, you may just have to do it again before it will work. 


1.Format a USB device with the FAT 16 file system and no volume label and then set it aside. 
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2. Open the Altiris® Dell Client Manager application by double clicking the desktop icon or through the Start menu. 



pell Client! 
I Manager I 
: Standard ： 


3. Select AMT Quick Start from the left navigation menu to open the Altiris Console. 















































4. Click the < + > to expand the Intel AMT Ge 村 ing Started section. 
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5. Click the < + > to expand the Section 1.Provisioning section. 
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6. Click the < + > to expand the Basic Provisioning (without TLS) section. 
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7. Select Step 1.Configure DNS. 


The notification server with an out-of-band management solution installed must be registered in DNS as 
"ProvisionServer." 
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8. Click rest on the DNs Conriguration screen to verify that DNS has the ProvisionServer entry and that it resolves to 
the correct Intel setup and configuration server (SCS). 
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DNS Configuration 
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The IP address for the ProvisionServer and Intel SCS are now visible. 
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9. Select Step 2. Discovery Capabilities. 
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10. Verify that the setting is Enabled. If Disabled, click the checkbox next to Disabled and click Apply. 
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11.Select Step 3. View Intel AMT Capable Computers. 
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Any Intel AMT-capable computers on the network are visible in this list. 
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12. Select Step 4. Create Profile. 
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13. Click the ' + " symbol to add a new profile. 

























HthTiC Vtew が TmI ， RjfefhKtS C が 1I4 …ち Hdp > 


f P^ftTaaemtnt 
fri Swui'd 
bont 
ド, bon 

[み ro*ti?nO 


肿 fcri 


， 片 

。と! CVt *f E 
t 白化 i 
. 生。む fccbont 
Jt 。 Confyjral 
; ゴにが王 

3 0 54CW1 S. PnftWiTQ 

S 。出な; hS ^サか WO (、。加; T _。 

>¢1 い巧 1_ なろ 

がた口 15l む 5 口け f にが tii ゎ 
リ &; W も たが : い WE AMT に WKf* COfIBw 邮 
う T E .; が ■ 0"*SL* " が 16 
が i'.ta S. Gsirate ： SSiurt^v な巧 

W た巧 &■ ConFrgurc 化 itciTtfi 吐 Pt ■ が UKfliT' ■ 。 ■ な； 
W 5 ■巧え ViDTitDr わ "'' iHrvtf] Prowls 
リ日 ; wE- か ■ か h 巧 6 bWfir が。 

* □ &iS^»S*&F!!l' flSj 

. 中 '。 Sec bon ?1 Irtri 壬 AMT Taste 

二 ] ftcpof 古 

王こ 3 7 枕 


， 引 * グ |y 


Manage Profiles 


iPrnlilelD fPr 凸 lile Man 


ヨ 。: HyFfft が I 


化 

巧 Aj 柯な nfW 卜 





On the General tab, the administrator can modify the profile name and description along with the password. The 
administrator sets a standard password for easy maintenance in the future. Select the manual radio button and 
type a new password. 


























































The Network tab provides the option to enable ping responses, VLAN, WebUI, Serial over LAN, and IDE 
Redirection. If you are configuring Intel AMT manually, all these settings are also available in the MEBx. 



The TLS (Transport Layer Security) tab provides the ability to enable TLS. If enabled, several other pieces of 
information are required including the certificate authority (CA) server name, CA common name, CA type, and 
certificate template. 



The ACL (access control list) tab is used to review users already associated with this profile and to add new 
users and define their access privileges. 














































The Power Policy tab has configuration options to select the sleep states for Intel AMT as well as an Idle 
Timeout setting. It is recommended that Idle timeout is always set to 0 for optimal performance. 

A CAUTION; The setting for the Power Policy tab can potentially impact a computer's ability to remain E-Star 
4.0 compliant. 



14. Select Step 5. Generate Security Keys. 
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15. Select the icon with the arrow pointing out to Export Security Keys to USB Key. 
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16. Select the Generate keys before export radio button. 






























































17. Type the number of keys to generate (depends on the number of computers that need to be provisioned). The default 
is 50. 



18. The Intel ME default password is admin. Configure the new Intel ME password for the environment. 



19. Click Generate. Once the keys have been created, a link appears to the left of the Generate button. 































20. Insert the previously formatted USB device into a USB connector on the Provisioning Server. 

21. Click the Download USB key file link to download setup.bin file to the USB device. The USB device is recognized by 
default; save the file to the USB device. 

に NOTE; If additional keys are needed in the future, the USB device must be reformatted before saving the setup.bin file 
to it. 




















a. Click Save in the File Download dialog box. 



b. Verify the Save in; location is directed to the USB device. Click Save. 
















































c. Click Close in the Download complete dialog box. 
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The setup.bin file is now visible in the drive Explorer window. 



22. Close the Export Security Keys to USB Key and drive Explorer windows to return to the Altiris Console. 

23. Take the USB device to the computer, insert the device, and turn on the computer. The USB device is recognized 
immediately and you are prompted to 

Continue with Auto Provisioning (Y/N) 

Press く y>. 





















Intel(H) Management Engine BIDS Extension 

Copyright(C) 2 日日 3 -目？ Intel Corporation, fill Rights Reserved. 

Found USB Key for provisioning InteltR) AMT 
Continue with fluto Provisioning (If/N) 


Press any key to continue with system boot... 


Intel け） Hanagenent Engine BIDS Extension 

Copyright(C) 2003-日？ Intel Corpora*ion. All flights Reserved. 

Found USB Key for provisioning Intel(H) AMT 
Continue uiith fluto Provisioning (V/N) 


Intel(R) flHT Provisioning cortplete 

Press any key to ccmtimie with system boot … 


Intel(fl) Management Engine BIDS Extension 

Copyright(C) 2 如 3-0? Intel Corporation, fill Rights Reserved. 

Found USB Key for provisioning Intel【R) AMT 
Continue with fluto Provisioning け/ N) 


Intel(R) AMT Provisioning coinplete 

Press any key to ccmtimie with system boot … 

ME-BIQS Sync ^ Successful 


24. Once complete, turn off the computer and move back to the management server. 

25. Select Step 6. Configure Automatic Profile Assignments. 
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26. Verify that the setting is enabled. In the Intel AMT 之 . 0+ dropdown, select the profile created previously. 仁 onrigure the 
other settings for the environment. 
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27. Select Step 7. Monitor Provisioning Process. 
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The computers for which the keys were applied begin to appear in the system list. At first the status is 
Unprovisioned, then the system status changes to In provisioning, and finally it changes to Provisioned at 
the end of the process. 
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28. Select Step 8. Monitor Profile Assignments. 
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The computers ror whneh profiles were assigned appear in the list. Each computer is identified by the FQDN, 
UUID, and Profile Name columns. 
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Once the computers are provisioned, they are visible under the Collections folder in All configured Intel AMT 
computers. 
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System Deployment 

Once you are ready to deploy a computer to a user, plug the computer into a power source and connect it to the network. 

Use the integrated Intel® 82566 DM NIC. Intel Active Management Technology (Intel AMT) does not work with any other NIC 
solution. 

When the computer is turned on, it immediately looks for a setup and configuration server (SCS). If the computer finds this 
server, the Intel AMT-capable computer sends a Hello message to the server (user must first activate network access either 
via ME 巨 X or using Intel Activator). 

DHCP and DNS must be available for the setup and configuration server search to automatically succeed. If DHCP and DNS 
are not available, then the setup and configuration servers (SCS) IP address must be manually entered into the Intel AMT- 
capable computer's MEBx. 

The Hello message contains the following information: 

• Provisioning ID (PID) 

• Universally Unique Identifier (UUID) 

• IP address 

• ROM and firmware (FW) version numbers 

The Hello message is transparent to the end user. There is no feedback mechanism to tell you that the computer is 
broadcasting the message. The SCS uses the information in the Hello message to initiate a Transport Layer Security (TLS) 
connection to the Intel AMT-capable computer using a TLS Pre-Shared key (PSK) cipher suite if TLS is supported. 

The SCS uses the PID to look up the provisioning passphrase (PPS) in the provisioning server database and uses the PPS and 
PID to generate a TLS Pre-Master Secret. TLS is optional. For secure and encrypted transactions, use TLS if the infrastructure 
is available. If you do not use TLS, then HTTP Digest is used for mutual authentication. HTTP Digest is not as secure as TLS. 
The SCS logs into the Intel AMT computer with the username and password and provisions the following required data items: 

• New PPS and PID (for future setup and configuration) 

• TLS certificates 

• Private keys 

• Current date and time 

• HTTP Digest credentials 

• HTTP Negotiate credentials 

The computer goes from the setup state to the provisioned state, and then Intel AMT is fully operational. Once in the 
provisioned state, the computer can be remotely managed. 
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Operating System Drivers 

Within the operating system, the AMT Unified driver must be installed to remove unknown devices in the Device Manager. The 
driver is discussed below. Unlike previous versions (3, 4, or 5) where there were two separate HECI and LMS/SOL drivers 
from customer re-install stand-point, the current version provides both drivers in a common package called AMT Unified 
Driver. When the unified driver package is installed, it manages both PCI devices in the Device Manager. 


AMT Unified Driver 


The Intel® AMT Serial-Ove 卜 LAN (SOL) / Local Manageability Service (LMS) driver is available on support.dell.com and on 
the ResourceCD under Chipset Drivers. The driver is labeled Intel AMT SOL/LMS. Once the driver is obtained, execute the 
file; it unzips and prompts the user to continue the installation process. 

Once you install the SOL/LMS driver, the PCI Serial Port entry becomes the Intel Active Management Technology - SOL 
(COM3) entry. 


HECI Driver 


The Intel AMT Host Embedded Controller Interface (HECI) driver is available on support.dell.com and on the ResourceCD 
under Chipset Drivers. The driver is labeled Intel AMT HECI. Once the driver is obtained, execute the file; it unzips and 
prompts the user to continue the installation process. 

Once you install the HECI drivers, the PCI Simple Communications Controller entry becomes the Intel Management 
Engine Interface entry. 

Back to Contents Page 
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Intel AMT WebGUI 


The Intel® AMT WebGUI is a Web browser-based interface for limited remote computer management. The WebGUI is often 
used as a test to determine if Intel AMT setup and configuration was performed properly on a computer. A successful remote 
connection between a remote computer and the host computer running the WebGUI indicates proper Intel AMT setup and 
configuration on the remote computer. 

The Intel AMT WebGUI is accessible from any Web browser, such as Internet Explorer®. 

Limited remote computer management includes: 

• Hardware inventory 

• Event logging 

• Remote computer reset 

• Changing of network settings 

• Addition of new users 


。 NOTE; Information on using the WebUI interface is available on the Intel AMT website. 


Follow the steps below to connect to the Intel AMT WebUI on a computer that has been configured and set up. 


Intel AMT WebUI 

1. Turn on an Intel AMT-capable computer that has completed Intel AMT setup and configuration. 

2. Launch a Web browser from a separate computer, such as a management computer on the same subnet as the Intel 
AMT computer. 

3. Connect to the IP address specified in the MEBx and port of the Intel AMT capable computer, (example: 

http : //ip address:16992 or http : //1 92.168 .2.1:16992) 

• By default, the port is 16992. 

。 NOTE; Use port 16993 and https:// to connect to the Intel AMT WebUI on a computer that has been configured 
and set up in the Enterprise mode. 

• If DHCP is used, then use the fully qualified domain name (FQDN) for the ME. The FQDN is the combination of the host 
name and domain, (example: http : //host name：1 6992 or http://systemi: 1699 2) 

4. The management computer makes a TCP connection to the Intel AMT-capable computer and accesses the top level 
Intel AMT-embedded Web page within the Management Engine of the Intel AMT-capable computer. 

5. Type the username and password. The default username is admin and the password is what was set during Intel AMT 
setup in the MEBx. 

6. Review the computer information and make necessary changes. 

。 NOTE: You can change the MEBx password for the remote computer in the WebUI. Changing the password in the 
WebUI or a remote console results in two passwords. The new password, known as the remote MEBx password, 
only works remotely with the WebUI or remote console. The local MEBx password used to locally access the 
MEBx is not changed. You have to remember both the local and remote MEBx passwords to access the computer 
MEBx locally and remotely. When the MEBx password is initially set in Intel AMT setup, the password serves as 
both the local and remote password. If the remote password is changed, then the passwords are out of sync. 

7. Select Exit. 
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AMT Redirection Overview 


Intel® AMT makes it possible to redirect serial and IDE communications from a managed client to a management console 
regardless of the boot and power state of the managed client. The client need only have the Intel AMT capability, a 
connection to a power source, and a network connection. Intel AMT supports Serial Over LAN (SOL, text/keyboard redirection) 
and IDE Redirection (IDER, CD-ROM redirection) over TCP/IP. 


Serial Over LAN Overview 

Serial Over LAN (SOL) is the ability to emulate serial port communication over a standard network connection. SOL can be 
used for most management applications where a local serial port connection is normally required. 

When an active SOL session is established between an Intel AMT-enabled client and a management console using the Intel 
AMT redirection library, the client's serial traffic is redirected through Intel AMT over the LAN connection and made available 
to the management console. Similarly, the management console may send serial data over the LAN connection that appears 
to have come through the client's serial port. 


IDE Redirection Overview 


IDE Redirection (IDER) is capable of emulating an IDE CD drive, a legacy floppy, or an LS-120 drive over a standard network 
connection. IDER enables a management machine to attach one of its local drives to a managed client over the network. 
Once an IDER session is established, the managed client can use the remote device as if it were directly attached to one of 
its own IDE channels. This can be useful for remotely booting an otherwise unresponsive computer. IDER does not support 
the DVD format. 

For example, IDER is used to boot a client with a corrupt operating system. First, a valid boot disk is loaded into the 
management console disk drive. This drive is then passed as an argument when the management console opens the IDER 
TCP session. Intel AMT registers the device as a virtual IDE device on the client, regardless of its power or boot state. Both 
SOL and IDER may be used together since the client BIOS may need to be configured to boot from the virtual IDE device. 




Intel® Management and Security Status Application 


Intel® Management and Security Status (IMSS) is an application that displays information about a platform's Intel ⑥ Active 
Management Technology (Intel AMT) and Intel® Standard Manageability services. 

The Intel Management and Security Status icon indicates whether Intel AMT and Intel Standard Manageability are running on 
the platform. The icon is located in the notification area. By default, the notification icon is displayed every time Windows* 
starts. 

The Intel Management and Security Status application has a separate version per every Intel AMT generation (4.x, 5.x, 6.x). 
This is to describe the Intel Management and Security Status application for Intel AMT generation 6.x. 

Click here for more information Intel Management and Security Status Application. 

。 NOTE: If the Intel Management and Security Status application starts automatically as a result of the user logging on 
to Windows, the icon will be loaded to the notification area only if Intel AMT or Intel Standard Manageability is enabled 
on the platform. If the Intel Management and Security Status application is started manually (via the Start menu), the 
icon is loaded even if none of these technologies is enabled, as long as all the drivers have been installed. 

。 NOTE; The information displayed in the Intel Management and Security Status is not shown in real time. The data is 
refreshed at different intervals. 
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At the initial boot screen, press <Ctrl><p> to enter the MEBx screens. 

When a prompt for the password appears, type the new Intel ME password. 

Select Intel AMT Configuration, and then press Enter. 

Select Un-Provision, and then press Enter. 

Select Full Unprovision, and then press Enter. 

Reconfigure the settings under the Intel AMT Configuration menu option shown here. 
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T roubleshooting 

This page describes a few basic troubleshooting steps to follow if problems are experienced with the Intel® AMT configuration. 
Remember to always check DSN for more troubleshooting options. 


Return to Default 

Return to default is also known as un-provisioning. An Intel AMT setup and configured computer can be un-provisioned using 
the Intel AMT Configuration screen and the Un-Provision option. 

Follow the steps below to un-provision a computer: 

1.Select Un-Provision and then select Full Un-provision. 

Full un-provisioning is available for SMB Mode provisioned computers. This option returns all Intel AMT configuration 
settings to factory defaults and does NOT reset ME configuration settings or passwords. Full and partial un-provisioning 
is available for Enterprise Mode provisioned computers. Partial un-provisioning returns all Intel AMT configuration 
settings to factory defaults with the exception of the PID and PPS. Partial un-provisioning does NOT reset ME 
configuration settings or passwords. 

An un-provisioning message displays after about 1 minute. After un-provisioning completes, control is passed back to 
the Intel AMT Configuration screen. Provisioning Server, Set PID and PPS, and Set PRTC options are available 
again because the computer is set to the default Enterprise Mode. 

2. Select Return to previous menu. 

3. Select Exit and then press く y>. 

The computer restarts. 


Firmware Flash 

Flash the firmware to upgrade to newer versions of Intel AMT. The automatic flash feature can be disabled by selecting 
Disabled under the Secure Firmware Update setting in the MEBx interface. If this setting is disabled, a firmware error 
message appears when flashing the BIOS. 

The firmware CANNOT be flashed to an older version or to the current version installed. The firmware flash, when available, is 
located on the support.dell.com site for download. 


Serial-Over-LAN (SOL) / IDE Redirection (IDE-R) 

If you cannot use IDE-R and SO し follow these steps: 
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Back to Contents Page 






